<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://best.openssf.org/assets/css/style.css">
<link rel="stylesheet" href="checker.css">
<script src="checker.js"></script>
<script src="deserialization.js"></script>
<link rel="license" href="https://creativecommons.org/licenses/by/4.0/">

<!-- See create_labs.md for how to create your own lab! -->

</head>
<body>
<!-- For GitHub Pages formatting: -->
<div class="container-lg px-3 my-5 markdown-body">
<h1>Lab Exercise deserialization</h1>
<p>
This is a lab exercise on developing secure software.
For more information, see the <a href="introduction.html" target="_blank">introduction to
the labs</a>.

<p>
<h2>Task</h2>
<p>
<b>Please change the code below to prevent insecure deserialization vulnerability.</b>

<p>
<h2>Background</h2>
<p>
Insecure Deserialization happens when the application’s deserialization process is exploited, allowing an attacker to manipulate the serialized data and pass harmful data into the application code.
<p>
The safest way to prevent this vulnerability is to not accept serialized objects from untrusted sources (user-controllable data). However, if you must accept them, there are some mitigations you can implement. In this lab, we will apply a couple of them.

<p>
<h2>Task Information</h2>
<p>

<p>
The code below is called after an application login page. After login, a cookie is set up with the user profile, then in the homepage the cookie is deserialized and uses the username in a greeting message.
<p>
If you take a closer look at this code, you’ll see that it’s using <tt>eval()</tt> to deserialize the data from the cookie. This can be very dangerous as <tt>eval()</tt> evaluates a string as JavaScript code, which means any code inside that string will be executed, opening the possibility of Remote Code Execution (RCE) and Code Injection attacks.
<p>
For this lab we want to fix this by using an approach that prevents executing code from the attacker. We will also add some simple input validation to make sure the data we receive from inside the JSON data is what we are expecting.
<ol>
  <li>
    Replace <tt>eval()</tt> with <tt>JSON.parse()</tt>. JSON.parse( ) does not execute any JavaScript code like functions or methods, making it a much more secure approach for deserialization.
  </li>
  <li>Besides checking if <tt>data.username</tt> exists, perform simple validations of its value. Ensure it is a string (<tt>typeof data.username == 'string'</tt>) and that it's less than 20 characters long (<tt>data.username.length &lt; 20</tt>).</li>
</ol>

<p>
Use the “hint” and “give up” buttons if necessary.

<p>
<h2>Interactive Lab (<span id="grade"></span>)</h2>
<p>
<p>
Change the code below, adding the mitigation steps to prevent Insecure Deserialization:
<ol>
  <li>Use a deserialization approach that prevents code execution of untrusted code.</li>
  <li>Validate the username making sure a reply is only sent if it's a <b>string</b> and less than <b>20 characters</b>.</li>
</ol>
<form id="lab">

<pre><code
>const express = require('express');
const cookieParser = require('cookie-parser');

const app = express();

app.use(express.json());
app.use(cookieParser());

app.get('/', (req, res) => {
  if (req.cookies.profile) {
    try {
      const base64Decoded = Buffer.from(
        req.cookies.profile, 'base64').toString('utf8');
      <input id="attempt0" type="text" size="60" spellcheck="false"
             value="const data = eval('(' + base64Decoded + ')');">

      <textarea id="attempt1" rows="3" cols="60" spellcheck="false"
>if (data.username) {</textarea>
            // To prevent XSS, avoid res.send with untrusted data
            res.render('index', {username: data.username});
      }

    } catch (err) {
      res.send('An error occurred.');
    }
  } else {
    res.send("Please Login");
  }
});
</code></pre>


<button type="button" class="hintButton">Hint</button>
<button type="button" class="resetButton">Reset</button>
<button type="button" class="giveUpButton">Give up</button>
<br><br>
<p>
<i>This lab was developed by Camila Vilarinho.</i>
<br><br>
<p id="correctStamp" class="small">
<textarea id="debugData" class="displayNone" rows="20" cols="65" readonly>
</textarea>
</form>
</div><!-- End GitHub pages formatting -->
</body>
</html>
